b'Audit Report 11-06 (Issued March 31, 2011)\nSecure Card Personalization System Information Technology Security Controls\n\nGPO provides personalized smartcards and identity cards for customers throughout the Federal\nGovernment. The Secure Card Personalization System (SECAPS) is the automated system used for\nproducing the cards. SECAPS was developed by GPO through a contract with General Dynamics\nInformation Technology and designed to create personalized embossed identity cards, Homeland\nSecurity Presidential Directive No. 12 (HSPD-12) compliant smartcards, and high-frequency radio\nfrequency identification cards. GPO produces cards for the Department of Homeland Security\xe2\x80\x99s\nCustoms and Border Protection\xe2\x80\x99s Trusted Traveler Program and for the Center for Medicare and\nMedicaid Services in the Department of Health and Human Services.\n\nSECAPS receives and maintains PII for purposes of card production. Recent breaches of PII at several\nFederal agencies increased the level of scrutiny over the handling of that type of sensitive\ninformation. To help protect against breaches as well as maintain an appropriate level of security,\nFederal programs must ensure that controls over PII data are in place.\n\nThe audit of SECAPS was performed to determine whether a requisite level of IT security controls in\nSECAPS maintained system integrity, confidentiality, and availability. Specific audit objectives\nincluded determining the adequacy of controls associated with the SECAPS operating system,\ndatabases, physical security, system interconnections and the transmission of PII, and purging of PII.\n\nWe issued a sensitive report that identifies opportunities to strengthen IT security controls and\nfurther reduce the potential risk of system compromise. Management concurred with each of the\nreport\xe2\x80\x99s recommendations and has either taken or proposed responsive corrective actions.\n\x0c'